diff --git a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
index 3cd4f9b6f51..e04b523273d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml
@@ -4,9 +4,12 @@ status: test
 description: Detects enumeration of local system groups. Adversaries may attempt to find local system groups and permission settings
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
-author: Ömer Günal, Alejandro Ortuno, oscd.community
+    - https://www.warp.dev/terminus/linux-list-users
+    - https://medium.com/@shalinpatel./list-all-groups-in-linux-ec1372309d6f
+    - https://cloudzy.com/blog/linux-netstat-command/
+author: Ömer Günal, Alejandro Ortuno, oscd.community, CheraghiMilad
 date: 2020-10-11
-modified: 2022-11-27
+modified: 2024-12-09
 tags:
     - attack.discovery
     - attack.t1069.001
@@ -22,7 +25,22 @@ detection:
             - '/head'
             - '/tail'
             - '/more'
+            - '/ed'
+            - '/nano'
+            - '/vi'
+            - '/vim'
+            - '/emacs'
+            - '/less'
         CommandLine|contains: '/etc/group'
+    selection_3:
+        Image|endswith: '/getent'
+        CommandLine|contains: 'group'
+    selection_4:
+        Image|endswith: '/netstat'
+        CommandLine|contains: 'localgroup'
+    selection_5:
+        Image|endswith: '/id'
+        CommandLine|contains: '-Gn'
     condition: 1 of selection*
 falsepositives:
     - Legitimate administration activities
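Review bot: selection_4 in the second hunk pairs `Image|endswith: '/netstat'` with `CommandLine|contains: 'localgroup'`, but `localgroup` is a subcommand of the Windows `net` utility and not an argument Linux `netstat` accepts, so this selection cannot fire on genuine group enumeration and the linked netstat article does not appear to describe such usage. Either drop selection_4 or, if the Samba `net` tool was the intent, match it with `Image|endswith: '/net'` and `CommandLine|contains: 'group'` and cite that behaviour in references instead. selection_5 only catches the exact `-Gn` spelling; `id -nG`, `id -G` and `id -g` yield the same group enumeration, so `CommandLine|contains: '-G'` (or a regex on the flag cluster) would be more robust, with the caveat that `id -Gn` is common in shell scripts and should be listed under falsepositives alongside the existing entry. The detection block and selection_1 begin outside this hunk.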